Skip to main content

Microsoft Office for Android CVE-2026-45649

| EUVDEUVD-2026-35693 HIGH
Improper Access Control (CWE-284)
2026-06-09 secure@microsoft.com GHSA-4363-fqg7-xrx3
7.1
CVSS 3.1 · Vendor: microsoft
Temporal: 6.2
Share

Severity by source

Vendor (microsoft) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
6.2 MEDIUM
cvss

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 18:02 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.1

DescriptionCVE.org

Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally.

AnalysisAI

Local spoofing in Microsoft Office for Android lets an unauthorized attacker manipulate trust-affecting content or identity indicators after a user interacts with malicious input on the device. The CVSS 7.1 score reflects high confidentiality and integrity impact with no special privileges required, though the local attack vector and required user interaction limit remote exploitability. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Technical ContextAI

The flaw is rooted in CWE-284 (Improper Access Control), meaning Office for Android fails to correctly enforce restrictions on who can perform an action or what content can claim a given identity within the app. On Android, Office components typically rely on the platform's permission model, intent filters, content providers, and signed manifest data to mediate access between activities and documents. A CWE-284 weakness in this context generally indicates that an attacker-controlled component on the same device (another app, a crafted document, or a manipulated intent) is able to bypass intended access boundaries and present itself as something it is not - enabling the spoofing outcome called out by Microsoft. The lack of CPE data in NVD means specific affected build numbers must be retrieved directly from the Microsoft Security Response Center advisory.

RemediationAI

Patch available per vendor advisory - install the latest version of Microsoft Office for Android from the Google Play Store and consult the MSRC entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45649 for the exact fixed build numbers, which are not enumerated in the public NVD data. As compensating controls until updating, restrict Office for Android to managed-app deployment via Intune or another MDM so unknown apps cannot share intents/files with it, disable opening documents from untrusted sources, and instruct users not to interact with unexpected Office prompts originating from links or files received via messaging apps. Side effects: MDM-only deployment reduces user flexibility, and blocking external file opens will break legitimate workflows that rely on sharing documents from other apps.

More in Excel

View all
CVE-2015-0097 CRITICAL POC
9.3 Mar 11

Microsoft Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Excel 2010 SP2, PowerPoint 2010 SP2, and Word 2010 SP2 all

CVE-2015-2523 CRITICAL POC
9.3 Sep 09

Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel for Mac 2011 and 2016, Office Compati

CVE-2013-1315 CRITICAL POC
9.3 Sep 11

Microsoft SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013; Office Web Apps 2010; Excel 2003 SP3, 2007 SP3, 2010 S

CVE-2015-2521 CRITICAL POC
9.3 Sep 09

Microsoft Excel 2007 SP3, Excel 2010 SP2, Office Compatibility Pack SP3, and Excel Viewer allow remote attackers to exec

CVE-2015-2520 CRITICAL POC
9.3 Sep 09

Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel for Mac 2011 and 2016, Office Compatibility Pack SP3, and Excel Viewer a

CVE-2012-2543 CRITICAL
9.3 Nov 14

Stack-based buffer overflow in Microsoft Excel 2007 SP2 and SP3 and 2010 SP1; Office 2011 for Mac; Excel Viewer; and Off

CVE-2012-1885 CRITICAL
9.3 Nov 14

Heap-based buffer overflow in Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 SP1; Office 2008 and 2011 for Mac; an

CVE-2013-3889 CRITICAL
9.3 Oct 09

Microsoft Excel 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Off

CVE-2012-0185 CRITICAL
9.3 May 09

Heap-based buffer overflow in Microsoft Excel 2007 SP2 and SP3 and 2010 Gold and SP1, Excel Viewer, and Office Compatibi

CVE-2012-1847 CRITICAL
9.3 May 09

Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2008 and 2011 for Mac; Excel Viewer; and Offic

CVE-2012-1886 CRITICAL
9.3 Nov 14

Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 SP1; Excel Viewer; and Office Compatibility Pack SP2 and SP3 allow

CVE-2012-0142 CRITICAL
9.3 May 09

Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2008 for Mac; Excel Viewer; and Office Compati

Share

CVE-2026-45649 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy